A variety of security techniques are known for protecting information in and controlling the operation of a computing device such as a personal computer (“PC”), a server or a mobile device. For example, physical and/or cryptographic techniques may be employed to control access to the computing device and to data stored in the computing device.
Physical security techniques may include locating the computing device in a secure location, locking the computing device in an enclosure, and protecting integrated circuits (i.e., chips) from invasive monitoring by encapsulating the chips in, for example, an epoxy.
Cryptographic techniques may include one or more of encryption, decryption, authentication, signing and verification. In some applications, data encryption and decryption techniques may be used to prevent unauthorized applications or persons from accessing data stored in the computing device. For example, security passwords that are used to restrict access to a PC may be stored on the PC in an encrypted form. The operating system may then decrypt the password when it needs to compare it with a password typed in by a user.
In some applications, authentication techniques may be used to verify that a given set of data is authentic. For example, when a server receives a message from a remote client, authentication information associated with the message may be used to verify that the message is from a specific source. In this way, the server may ensure that only authorized clients access the applications and data provided by the server.
Various standards have been developed to enhance the level of trust for users of computing systems. For example, the Trusted Computing Group organization has developed standards for a platform known as a trusted platform module (“TPM”). A TPM may provide a set of cryptographic capabilities that enable certain computer functions to be securely executed within the TPM environment (e.g., hardware). In a typical embodiment, a TPM (e.g., an integrated circuit incorporating TPM hardware and code) may be incorporated into a computer. Also, requirements such as FIPS 140-2 have been developed that relate to methods of upgrading firmware using approved authentication techniques.
The secure protection provided by systems such as TPMs may make it more difficult to upgrade the systems in the field. For example, in some applications the upgrade process must satisfy the system's security requirements or the upgrade may need to be performed by actually replacing one or more components in the system. These factors may adversely affect the cost of the system. Accordingly, a need exists for improved techniques for upgrading secure systems.
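The following is an added illustration and is not part of the patent text or of any product it describes. It shows, in standard-library Python, the two uses of authentication information mentioned above: a server verifying that a message carries a valid tag from a client holding the shared key, and a device accepting a firmware upgrade only when the image's tag verifies and the version does not go backwards. The key, the image header layout (`FWUP` magic, version, length) and the use of HMAC-SHA256 in place of a public-key signature are assumptions made for the example; a fielded system would normally verify an asymmetric signature with a key held in protected hardware.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed shared key for the example only. A real device would hold a
# per-device key in protected storage (for instance inside a TPM) and would
# typically verify a public-key signature rather than an HMAC.
DEVICE_KEY = b"example-shared-key-do-not-use-in-production"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def authenticate(key: bytes, message: bytes) -> bytes:
    """Compute the authentication tag (HMAC-SHA256) over message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Check a tag in constant time so a forger learns nothing from timing."""
    return hmac.compare_digest(authenticate(key, message), tag)


def server_accepts_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Server side of the client-to-server case: accept only authenticated input."""
    return verify(key, message, tag)


# Assumed firmware image header: 4-byte magic, 4-byte version, 4-byte payload length.
HEADER = struct.Struct(">4sII")
MAGIC = b"FWUP"


def package_firmware(key: bytes, version: int, payload: bytes) -> bytes:
    """Build header || payload || tag, the format accept_update() expects."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + authenticate(key, body)


def accept_update(key: bytes, current_version: int,
                  image: bytes) -> Tuple[bool, str, Optional[int]]:
    """Decide whether an upgrade image may be applied.

    Returns (accepted, reason, new_version). The tag is checked before the
    header is parsed, so untrusted bytes are never interpreted until they
    have been authenticated.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "image too short", None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not verify(key, body, tag):
        return False, "authentication failed", None
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic", None
    if length != len(body) - HEADER.size:
        return False, "length mismatch", None
    # Refuse rollback: an older, authentic image may carry known defects.
    if version <= current_version:
        return False, "rollback rejected", None
    return True, "ok", version


if __name__ == "__main__":
    image = package_firmware(DEVICE_KEY, 2, b"constructed firmware payload")
    print(accept_update(DEVICE_KEY, 1, image))   # accepted
    print(accept_update(DEVICE_KEY, 2, image))   # rollback rejected
```

The tag is verified over the whole header and payload before any field is decoded, and the rollback check runs only on an authenticated version number, which is the ordering an upgrade path for a secure system needs.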